Correct (which is why I mentioned Kata, as that’s a container runtime backed by microvms, sort of like how AWS uses firecracker to run lambdas and “serverless” container workloads)


I do the port knocking at the firewall level (it’s a pretty simple nft chain setup). Caddy isn’t involved at all. I was thinking about integrating that into my Caddy config using something akin to an operator, but I haven’t needed any extra functionality yet.


I went a different path than the VPN route that seems popular in the other comments…
I use a reverse proxy (Caddy) with wildcard SSL (so all my hostnames aren’t in the public cert registry) plus port knocking. So normally no outside IPs are allowed to access my internal services, but I can knock and then access anything for a while. Working well so far.
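A ruleset of the kind the comment above describes, added here as an illustration and not the commenter's own nft configuration: the knock ports (7000, 8000, 9000), the 2s step timeout, the 10m access window and the proxy port 443 are all assumed values.

```nftables
# Added example, not the commenter's ruleset. Knock 7000 -> 8000 -> 9000
# (constructed sequence); each step must arrive within 2s of the previous one.
# A completed sequence opens 443 (the Caddy reverse proxy) to that source
# address for 10 minutes. Only IPv4 sources are handled here.
table inet knock {
    # "<source> . <next port expected>" entries, expiring quickly
    set candidates {
        type ipv4_addr . inet_service
        flags timeout
    }
    # sources that completed the full sequence
    set allowed {
        type ipv4_addr
        flags timeout
    }
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # First knock: remember that this source should hit 8000 next.
        tcp dport 7000 add @candidates { ip saddr . 8000 timeout 2s }
        # Second knock only counts if the first one was seen from the same source.
        tcp dport 8000 ip saddr . tcp dport @candidates add @candidates { ip saddr . 9000 timeout 2s }
        # Third knock completes the sequence: grant access and log it.
        tcp dport 9000 ip saddr . tcp dport @candidates add @allowed { ip saddr timeout 10m } log prefix "knock-ok: "

        # The proxy is reachable only from sources that knocked in; everything
        # else, including the knock ports themselves, falls through to the drop policy.
        tcp dport 443 ip saddr @allowed accept
    }
}
```

Load with `nft -f <file>` and check who is currently allowed with `nft list set inet knock allowed`; note that connections already established keep working after the 10m entry expires because of the `established,related` rule.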
Containers don’t need VT/SVM (unless you’re doing something weird like Kata Containers)


To be fair, California has some of the strictest gun laws in the US. That’s a low bar though.


This law is stupid, but it’s coming from some nobody in the Bay Area trying to get her name out there, not Newsom
I would also suggest looking into k0s/k0sctl for deploying k8s. I think it’s probably the easiest deployment method I’ve personally used. It also makes updates dead simple.
For deploying things to k8s, these days LLMs can write the k8s manifests pretty easily if there aren’t already helm or kustomize files available.


That’s a basic requirement for almost any company. If you’re into hard-coding credentials just use WireGuard directly.
Yet somehow there’s still a ton of money in web3/crypto. It’ll be a long time before the AI money dries up.